Wireshark-users: Re: [Wireshark-users] TCP reassemble question

From: Bo Xu <xubo.leo@xxxxxxxxx>
Date: Mon, 17 May 2010 17:30:58 +0800
Hi Sake,

Thank you very much.
This does help.
BR
Xu Bo

On Mon, May 17, 2010 at 1:21 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
On 16 May 2010, at 15:40, Bo Xu wrote:

> Wireshark can reassemble the TCP packets, which is a very cool feature.
> For example, if the reassemble option is disabled in the preference, assume #9 and #10 are carrying the whole piece of information; there will be these 2 prompt lines in #9:
>
> Numer of bytes in flight :1460
> Last frame of this PDU : 10
>
> I would like to know how Wireshark knows these TCP segments are together?

TCP is a streaming protocol, which means it just transmits the data it receives from an application to the receiving application on the receiving end. It has no knowledge of protocol data unit (PDU) boundaries. Just like the receiving application must know where the boundaries of each PDU are, the dissector for the protocol that runs on top of TCP must know how to determine if the PDU is split over multiple TCP segments. And if it is, it tells the TCP dissector to collect more data. This goes on until it knows it has enough data to dissect a whole PDU.

Hope this helps,
Cheers,
    Sake
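The mechanism described in the reply above, as an added example that is not part of the original thread and is not Wireshark's code: an upper-layer "dissector" inspects the buffered bytes and reports how many more it needs, and the TCP layer keeps collecting segments until a whole PDU is available. The toy framing (2-byte big-endian length, then payload), the function names and the sample segments are assumptions constructed for illustration; segments are assumed to arrive in order with no loss or retransmission.

```python
import struct

HEADER_LEN = 2  # assumed toy framing: 2-byte big-endian payload length


def pdu_bytes_missing(buf: bytes) -> int:
    """Upper-layer view: bytes still needed before buf holds one whole PDU."""
    if len(buf) < HEADER_LEN:
        return HEADER_LEN - len(buf)          # cannot even read the length yet
    (length,) = struct.unpack("!H", buf[:HEADER_LEN])
    return max(0, HEADER_LEN + length - len(buf))


def reassemble(segments):
    """TCP-layer view: segments is an in-order list of (frame_no, payload).

    Returns (pdus, leftover). Each PDU records the frames that carried it
    and the frame in which it completed ("last frame of this PDU").
    """
    pdus, buf, frames = [], b"", []
    for frame_no, data in segments:
        buf += data
        frames.append(frame_no)
        # One segment may complete a PDU and also start (or hold) the next.
        while buf and pdu_bytes_missing(buf) == 0:
            (length,) = struct.unpack("!H", buf[:HEADER_LEN])
            end = HEADER_LEN + length
            pdus.append({"payload": buf[HEADER_LEN:end],
                         "frames": list(frames),
                         "last_frame": frame_no})
            buf = buf[end:]
            frames = [frame_no] if buf else []
    return pdus, buf


# Constructed sample: a 2000-byte PDU split over frames 9 and 10, with a
# second, small PDU sharing frame 10.
_big = struct.pack("!H", 2000) + b"A" * 2000
_small = struct.pack("!H", 3) + b"abc"
SEGMENTS = [(9, _big[:1460]), (10, _big[1460:] + _small)]

if __name__ == "__main__":
    for pdu in reassemble(SEGMENTS)[0]:
        print(len(pdu["payload"]), pdu["frames"], pdu["last_frame"])
```

Because the length field comes from the sender, anything doing this on untrusted traffic should bound how much it is willing to buffer per stream.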